156-215.81 Exam Dumps - Check Point Certified Security Administrator R81.20

 A security gateway is a device that enforces the security policy on the traffic that passes through it. There are three deployment options available for a security gateway: Standalone, Distributed, and Bridge Mode. Standalone means that the security gateway and the security management server are installed on the same machine. Distributed means that the security gateway and the security management server are installed on separate machines. Bridge Mode means that the security gateway acts as a transparent bridge between two network segments, without changing the IP addressing scheme1. References: Check Point R81 Security Gateway Technical Administration Guide

The types of Software Containers are Security Management, Security Gateway, and Endpoint Security. Software Containers are virtual environments that run on top of Gaia OS and allow multiple instances of Check Point products to coexist on the same physical machine. The other options are not valid types of Software Containers.

The correct answer is D because from SecureXL perspective, the three paths of traffic flow are Firewall Path, Accelerated Path, and Medium Path3. The Firewall Path is used when SecureXL is disabled or traffic is not eligible for acceleration3. The Accelerated Path is used when SecureXL handles the entire connection and bypasses the Firewall kernel3. The Medium Path is used when SecureXL handles part of the connection and forwards packets to the Firewall kernel for further inspection3. The other options are not valid paths of traffic flow from SecureXL perspective3. References: Check Point R81 Performance Tuning Administration Guide

 The statement that information on a user is hidden, yet distributed across several servers is not an advantage to using multiple LDAP servers. LDAP (Lightweight Directory Access Protocol) is a protocol that allows access to a centralized directory service that stores information about users, groups, devices, etc. Using multiple LDAP servers can provide advantages such as faster access time, compartmentalization, and high availability, but not hiding information. Information on a user is not hidden by using multiple LDAP servers, but rather replicated or partitioned across them. Replication means that the same information is copied to all LDAP servers, while partitioning means that different information is stored on different LDAP servers. Both methods aim to improve performance and reliability, not security or privacy.References: [LDAP Integration], [LDAP]

The correct answer is D because the command save configuration  stores the Gaia configuration in a file for later reference1. The other commands are not valid in Gaia Clish1. References: Gaia R81.10 Administration Guide

The three types of UserCheck messages are inform, ask, and block. Inform messages notify users about security events and do not require any user action. Ask messages prompt users to choose whether to allow or block an action. Block messages prevent users from performing an action and display a reason1. References: Check Point R81 Logging and Monitoring Administration Guide

 To make John’s changes available to other administrators, and to save the database before installing a policy, John must publish the session. Publishing the session saves the changes to the database and makes them visible to other administrators1. The other options do not achieve this goal. References: Publishing a Session

The correct answer is D because sending API commands over an http connection using web-services is not one of the ways to communicate using the Management API’s3. The Management API’s support HTTPS protocol only, not HTTP3. The other methods are valid ways to communicate using the Management API’s3. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

Domain-based— VPN domains are pre-defined for all VPN Gateways. A VPN domain is a service or user that can send or receive VPN traffic through a VPN Gateway.

This statement is not true because a VPN domain is not a service or user, but a host or network that can send or receive VPN traffic through a VPN Gateway1. This is the definition given in the Site to Site VPN R81 Administration Guide1. The other statements are true according to the same guide1.

• Remote Access VPN R81.20 Administration Guide
• Site to Site VPN R81 Administration Guide
• DeepDive Webinar - R81.20 Seamless VPN Connection to Public Cloud

 If there are two administrators logged in at the same time to the SmartConsole, and there are objects locked for editing, the administrator who locked the objects must publish or discard the session to make them available to other administrators. Publishing or discarding the session will save or discard the changes made by the administrator and unlock the objects for editing by others3.

References: 3: Check Point R81 Security Management Administration Guide, page 18.

The licensing feature that is used to verify licenses and activate new licenses added to the License and Contracts repository is Automatic licensing and Verification tool1, p. 8. Automatic licensing is a feature that allows the Security Management Server to automatically attach licenses to Security Gateways. Verification tool is a feature that allows the Security Management Server to verify the validity of licenses and contracts2. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point Licensing and Contract Administration Guide R81

The default Gaia user that has full read/write access is admin3. The admin user is the superuser that can perform any administrative task on the Gaia system, such as configuring network settings, installing software updates, managing licenses, creating snapshots, and more. The admin user can also access the Gaia Portal, which is a web-based interface for managing Gaia settings and features. References: Check Point R81 Gaia Administration Guide

The Status Attention means that at least one Software Blade has a minor issue, but the gateway works1. For example, this could indicate a license expiration warning, a policy installation failure, or a blade activation problem2. References: Check Point R81 SmartConsole Guide, Check Point R81 Security Management Administration Guide

 Once a license is activated, a Service Contract file should be installed. This file contains information about the license expiration date, support level, and other details3. The other options are not valid file names.

References: 3: Check Point R81 Security Management Administration Guide, page 15.

According to the Hewlett Packard Enterprise Support Center3, the snapshot command uses the command line to create an image of the OS. A snapshot is a point-in-time copy of a disk partition that can be used to restore the system in case of a failure or corruption. References: Hewlett Packard Enterprise Support Center

 Captive Portal is a feature of Identity Awareness that allows you to authenticate users through a web browser before they access the Internet or corporate resources. Captive Portal can be used for various authentication methods, such as user name and password, one-time password (OTP), or certificate3. Captive Portal does not manage user permission in SmartConsole, provide remote access to SmartConsole, or authenticate users to the Gaia OS. Those are different functions that are not related to Captive Portal. References: Check Point R81 Identity Awareness Administration Guide

The command that shows the installed licenses in Expert mode is cplic print. This command displays information about the licenses that are installed on the local machine or a remote machine1. The other commands are not valid for showing licenses in Expert mode. 

 The command cplic print displays the installed licenses and their expiration dates on the CLI1. References: Check Point CLI Reference Card

The order of NAT priorities is Static NAT, IP pool NAT, and hide NAT. Static NAT has the highest priority because it is a one-to-one mapping of a private IP address to a public IP address. IP pool NAT has the second highest priority because it is a one-to-many mapping of a private IP address to a pool of public IP addresses. Hide NAT has the lowest priority because it is a many-to-one mapping of multiple private IP addresses to a single public IP address1.

References: 1: Check Point R81 Security Gateway Administration Guide, page 23.

Application Control is a blade that enables administrators to control access to applications and web sites by users, groups, machines, and time. Application Control can eliminate unknown and unwanted applications in your network to reduce IT complexity and application risk, identify and control which applications are in your IT environment and which to add to the IT environment, and automatically identify trusted software that has authorization to run1. However, Application Control cannot scan the content of files being downloaded by users in order to make policy decisions. That is the function of another blade called Content Awareness, which can inspect files based on their type, size, name, and data2. References: Check Point R81 Application Control Administration Guide, Check Point R81 Content Awareness Administration Guide

The difference between the Install Policy button on the SmartConsole’s tab and the Install Policy within a specific policy is that the former installs all the policies that are selected in the Install Policy window, while the latter pre-selects the installation for only the current policy and for the applicable gateways5 . The other options are not accurate differences. References: Installing Policies, [Check Point CCSA - R81: Practice Test & Explanation]

You should generate new licenses when the existing license expires, the license is upgraded, or the IP address associated with the license changes. These situations invalidate the current license and require a new one to be obtained from the Check Point User Center and installed on the Security Management Server or Security Gateway. Installing contract files or upgrading devices do not affect the validity of the license12 References: Check Point R81, Managing and Installing license via SmartUpdate

 The answer is A because changing the Security Gateway IP-address requires re-establishing the trust with the Security Management Server by initializing the Secure Internal Communication (SIC). Changing the Security Gateway name in command line or changing the Security Management Server name or IP-address in SmartConsole does not require re-establishing the trust, but it may require updating the topology and pushing the policy.References: [Check Point R81 Security Management Administration Guide], [Check Point R81 Security Gateway Administration Guide]

When changes are made to a Rule base, it is important to Publish database to enforce changes5. Publishing database saves the changes to the database and makes them available to other administrators. Installing policy applies the changes to the Security Gateways. References: Check Point R81 Security Management Administration Guide, [Check Point R81 SmartConsole R81 Resolved Issues], [Check Point R81 Firewall Administration Guide]

The difference between SSL VPN and IPSec VPN is that IPSec VPN requires installation of a resident VPN client and SSL VPN requires only an installed browser5 . IPSec VPN uses a pre-shared key or certificates to authenticate the endpoints and encrypts the data at the network layer. SSL VPN uses SSL/TLS protocols to authenticate the endpoints and encrypts the data at the application layer. References: Check Point Remote Access VPN Administration Guide R81, [Free Check Point CCSA Sample Questions and Study Guide]

The answer is A because changes applied to a User Directory template are reflected immediately for all users who are using that template. A User Directory template defines the settings for connecting to an LDAP server, such as the server name, port, base DN, user filter, and group filter. When a User Directory template is modified, all users who are using that template will inherit the changes without requiring any additional actions3 References: Check Point R81 Identity Awareness Administration Guide, [Check Point R81 User Directory Templates]

The answer is B because bridge mode deployment adds a Security Gateway to an existing environment without changing IP routing. Bridge mode is a transparent mode that does not require assigning IP addresses to the Security Gateway interfaces. Distributed deployment is a deployment where the Security Management Server and the Security Gateway are installed on separate machines. Remote deployment is a deployment where the Security Gateway is installed on a remote site and connects to the Security Management Server over a VPN tunnel. Standalone deployment is a deployment where the Security Management Server and the Security Gateway are installed on the same machine.References: [Check Point R81 Bridge Mode], [Check Point R81 Deployment Scenarios]

The command fwaccel stat shows the status of SecureXL, including whether Drop Templates are enabled or not1. References: Check Point SecureXL R81 Administration Guide

The main difference between Static NAT and Hide NAT is that Static NAT allows incoming and outgoing connections, while Hide NAT only allows outgoing connections4. Static NAT translates a single IP address to another single IP address, while Hide NAT translates a group of IP addresses to a single IP address. Static NAT is used to expose internal servers to external networks, while Hide NAT is used to hide internal hosts from external networks. References: Check Point R81 Firewall Administration Guide

 The BEST immediate action to take when you have discovered suspicious activity in your network is to create a suspicious action rule to block that traffic. A suspicious action rule is a special type of rule that is triggered when a predefined condition is met, such as a malicious file download, a ransomware attack, or a data exfiltration attempt13. A suspicious action rule can block the traffic, quarantine the source, or send an alert to the administrator. Creating a policy rule to block the traffic may not be effective if the traffic does not match the rule criteria or if the policy installation is delayed. Waiting until traffic has been identified before making any changes may allow the threat to spread or cause more damage. Contacting ISP to block the traffic may not be feasible or timely, and may also affect legitimate traffic. References: Check Point R81 Security Gateway Technical Administration Guide, Check Point CCSA - R81: Practice Test & Explanation | Udemy

 Check Point licenses are divided into two types: central and local. Central licenses are managed by a Security Management Server and can be attached to any Security Gateway managed by that server. Local licenses are tied to the IP address of a specific Security Gateway and cannot be transferred to a gateway that has a different IP address. Formal and corporate are not types of Check Point licenses. References: [Check Point R81 Licensing and Contract Administration Guide]

 Core Protections are installed as part of the Threat Prevention Policy. Core Protections are a set of IPS protections that are essential for securing your network against malicious traffic4. The other policies do not include Core Protections.

References: 1: Check Point CLI Reference Card 2: Anti-Spoofing 3: SmartView Tracker 4: Core Protections

While enabling the Identity Awareness blade, the Identity Awareness wizard does not automatically detect the Windows domain because the SmartConsole machine is not part of the domain. The SmartConsole machine needs to be a member of the Windows domain or have access to a domain controller in order to detect the domain automatically2.

References: 2: Check Point R81 Identity Awareness Administration Guide, page 10.

This answer is correct because these are two valid methods for mutually authenticating the VPN gateways, which means that both sides of the communication verify each other’s identity using a shared secret or a public key certificate1. A pre-shared secret is a password or a passphrase that both gateways know and use to encrypt and decrypt the VPN traffic2. A PKI certificate is a digital document that contains the public key and other information that helps identify the gateway, such as the issuer, the subject, and the expiration date3. The certificate is signed by a trusted certificate authority (CA) that vouches for the authenticity of the gateway3.

The other answers are not correct because they either include invalid or irrelevant methods for mutual authentication. PKI certificates and Kerberos tickets are not compatible methods for mutual authentication, because Kerberos tickets are issued by a Kerberos server and not by a CA4. Pre-shared secrets and Kerberos tickets are also not compatible methods for mutual authentication, because they use different protocols and encryption algorithms4. PKI certificates and DynamiciD OTP are not valid methods for mutual authentication, because DynamiciD OTP is a one-time password that is used for user authentication, not for gateway authentication5.

• What is mutual authentication? | Two-way authentication
• Mutual authentication - AWS Client VPN
• VPN authentication options - Windows Security
• Mutual Authentication | Top 3 Methods of Mutual Authentication
• Authentication methods and features - Microsoft Entra

The command api status shows the API server status, including whether it is enabled or not, the port number, and the API version1. References: Check Point R81 API Reference Guide

The most likely reason for Vanessa’s authentication failure is that she is using the wrong details for SmartConsole. Check Point Management software authentication details are not automatically the same as the Operating System authentication details. She needs to use the credentials that were defined during the initial configuration of the Security Management Server, or the ones that were assigned to her by the administrator12. The other options are not valid reasons for this error. References: SmartConsole Login, Check Point CCSA - R81: Practice Test & Explanation

 Threat Prevention is a comprehensive solution that protects networks from malicious attacks by using multiple security blades, such as Anti-Bot, Anti-Virus, IPS, Threat Emulation, and Threat Extraction. A Threat Prevention profile defines the actions and settings for each blade and can be applied to different network segments or scenarios. The Perimeter profile is one of the predefined profiles that uses sanitization technology to protect users from malicious files and links. Sanitization technology includes Threat Emulation and Threat Extraction blades, which can detect and remove malware from files and web content. References: [Check Point R81 Threat Prevention Administration Guide]

The option that is NOT an advantage of Stateful Inspection is No Screening above Network layer. Stateful Inspection is a firewall technology that inspects packets at all layers of the OSI model, from layer 3 (Network) to layer 7 (Application). Stateful Inspection provides screening above Network layer, such as checking TCP flags, sequence numbers, ports, and application protocols . The other options are advantages of Stateful Inspection, as it provides high performance, good security, and transparency for legitimate traffic.

References: Stateful Inspection Technology, Firewall Administration Guide

 Gaia has two default user accounts that cannot be deleted. They are Admin and Monitor. Admin is the user account that has full administrative privileges and can access both WebUI and CLI. Monitor is the user account that has read-only privileges and can access only WebUI2. The other options are not default user accounts in Gaia.

When an encrypted packet is decrypted, this happens in the security policy4. The security policy is a set of rules that defines how the Security Gateway inspects and secures traffic. The security policy includes VPN rules that specify which traffic should be encrypted or decrypted. The inbound and outbound chains are part of the inspection framework that processes packets according to the security policy. References: Check Point R81 VPN Administration Guide

The Sticky Decision Function (SDF) can only be changed for Load Sharing implementations, not for High Availability implementations4. References: Check Point ClusterXL R81 Administration Guide

SmartView Monitor is the tool that allows you to monitor the top bandwidth on SmartConsole. SmartView Monitor is a graphical tool that displays real-time network and security performance data, such as traffic, throughput, connections, CPU usage, memory usage, etc. You can use SmartView Monitor to identify the top bandwidth consumers and optimize your network performance.References: [SmartView Monitor], [Monitoring Network Traffic]

The two Identity Awareness daemons that are used to support identity sharing are Policy Decision Point (PDP) and Policy Enforcement Point (PEP). PDP is a daemon that runs on the Security Management Server or a dedicated Identity Awareness Server and provides identity information to other components. PEP is a daemon that runs on the Security Gateway and enforces identity-based rules based on the information received from the PDP. Identity sharing is a feature that allows PDPs and PEPs to exchange identity information across different domains or networks. References: [Check Point R81 Identity Awareness Administration Guide]

 RADIUS Accounting gets identity data from requests generated by the accounting client. RADIUS Accounting is a feature that allows tracking and measuring resource usage of network services by users. The accounting client, which is usually a network access server (NAS), sends accounting requests to a RADIUS server with information about user sessions, such as start and stop times, bytes transmitted and received, IP addresses, etc. The RADIUS server records this information in a database for billing, auditing, or reporting purposes. One of the mandatory attributes that the accounting client must include in every accounting request is the User-Name attribute, which identifies the user who is accessing the network service.

The key C is used to save the current CPView page in a filename format cpview_“cpview process ID”. cap”number of captures”2. References: Free Check Point CCSA Sample Questions and Study Guide

In order to install a license, it must first be added to the License and Contract repository. The License and Contract repository is a centralized database that stores all the licenses and contracts for Check Point products. It allows you to manage, activate, and attach licenses to your Check Point products.

References: Check Point Security Management Administration Guide R81, p. 19-20

There are two default users on Gaia Platform and neither can be deleted. The two default users are admin and monitor. The admin user has full access to the Gaia configuration and management tools, such as CLI and WebUI. The monitor user has read-only access to the Gaia configuration and management tools, and can only view the system status and settings. These two users cannot be deleted, but their passwords can be changed.References: [Gaia Administration Guide], [Gaia Overview]

The main objective when using Application Control is to ensure security and privacy of information4. Application Control enables administrators to control access to web applications and web sites based on risk level, user identity, and other criteria. It also provides visibility into web usage and application activity. References: Check Point R81 Application Control Administration Guide

An LDAP server holds one or more Account Units. An Account Unit is a logical representation of an LDAP server in the Check Point database. It defines the connection parameters, authentication methods, and user and group information that are retrieved from the LDAP server. An Account Unit allows the Security Gateway to use the LDAP server for user authentication and identity awareness. The other options are incorrect. A Server Unit is a logical representation of a Check Point server in the Check Point database. An Administrator Unit is a logical representation of an administrator or an administrator group in the Check Point database. An Account Server is not a valid term in Check Point terminology. References: [Check Point R81 Identity Awareness Administration Guide], [Check Point R81 Security Management Administration Guide], [Check Point R81 SmartConsole R81 Resolved Issues]

When doing a Stand-Alone Installation, you would install the Security Management Server with none of the other Check Point architecture components. A Stand-Alone Installation is a type of installation that combines the Security Management Server and the Security Gateway on one computer or appliance3, p. 14. SmartConsole, SecureClient, and SmartEvent are not Check Point architecture components, but software applications that can be installed separately. References: Check Point CCSA - R81: Practice Test & Explanation, [Check Point Installation and Upgrade Guide R81]

CloudGuard is not a valid deployment option for R80. CloudGuard is a product name for Check Point’s cloud security solutions, not a deployment mode. The valid deployment options for R80 are all-in-one (stand-alone), distributed, and bridge mode. In an all-in-one deployment, the Security Management Server and Security Gateway are installed on the same machine. In a distributed deployment, the Security Management Server and Security Gateway are installed on separate machines. In a bridge mode deployment, the Security Gateway acts as a transparent bridge between two network segments and does not have an IP address of its own3References: CloudGuard, [Part 4 - Installing Security Gateway], [Deployment Options]

The tracking actions that can be selected when configuring Spoof Tracking are Log, alert, none. Spoof Tracking is a feature that detects packets with spoofed source IP addresses and logs them in SmartView Tracker. The administrator can choose to log only, log and alert, or do nothing when spoofed packets are detected. The other options are not valid tracking actions for Spoof Tracking, as they are either not available or not relevant for this feature.

References: [Spoof Tracking], [Firewall Administration Guide]

 DLP and Geo Policy are examples of Shared Policies. Shared Policies are policies that can be shared with other policy packages to save time and effort when managing multiple gateways with similar security requirements. Shared Policies can be applied to Access Control, Threat Prevention, and HTTPS Inspection layers. Other types of policies include Inspection Policies, Unified Policies, and Standard Policies. References: [Check Point R81 Security Management Administration Guide], [Check Point R81 SmartConsole R81 Resolved Issues]

The correct answer is A because the traffic from source 192.168.1.1 to www.google.com is handled by the Slow Path if the Application Control Blade on the gateway is inspecting the traffic 2. The Slow Path is used when traffic requires inspection by one or more Software Blades2. The other paths are used for different scenarios2. References: Check Point R81 Performance Tuning Administration Guide

The reason why querying logs now are very fast is that Indexing Engine indexes logs for faster search results. Indexing Engine is a component of R81 Management that creates and maintains an index of log data, which enables quick and efficient log searches4. The other options are not related to the speed of log querying. The amount of logs being stored may vary depending on the log retention settings. New Smart-1 appliances may have improved hardware specifications, but they do not affect the log querying process directly. SmartConsole queries results from the Security Management Server, not from the Security Gateway.

References: 1: HTTPS Inspection 2: Browser-Based Authentication 3: URL Filtering 4: Indexing Engine

 Identity Awareness is the Check Point software blade that provides visibility of users, groups and machines while also providing access control through identity-based policies. Identity Awareness enables administrators to define granular access rules based on user or machine identity, rather than just IP addresses. Identity Awareness also allows administrators to monitor user activity and generate reports based on user or machine identity.

This answer is correct because the vpn tu command is used for VPN tunnel management and shows detailed information about VPN tunnels, such as the tunnel ID, peer IP, encryption domain, and status1. This command will bring up a menu for you to choose from, such as list all IPsec SAs, delete all IPsec SAs, or delete IPsec SA for given peer1.

The other answers are not correct because they either show different information or do not exist as commands. The cat $FWDlR/conf/vpn.conf command shows the VPN configuration file, which contains the VPN domains, communities, and encryption settings2. The vpn tu tlist command does not exist, but it might be confused with the vpn tunnelutil tlist command, which shows the tunnel utilization statistics3. The cpview command shows the Check Point real-time performance monitoring tool, which displays various system and network parameters, such as CPU, memory, disk, interfaces, and VPN4.

• How to use the “vpn tu” command for VPN tunnel management
• New VPN daemons in R81.10 / R81.20 - Check Point CheckMates
• Remote Access VPN R81.20 Administration Guide - Check Point Software
• Remote Access VPN R81 Administration Guide - Check Point Software

This answer is correct because a standalone deployment is a valid option for installing a Check Point Security Gateway and a Security Management Server on the same machine1. This option is suitable for small or medium-sized networks that do not require high availability or load balancing1.

The other answers are not correct because they are either invalid or irrelevant options for deployment. CloudSec deployment is not a valid option, but it might be confused with CloudGuard, which is a Check Point solution for securing cloud environments2. Disliked deployment is not a valid option, but it might be a typo for Distributed deployment, which is a valid option for installing a Check Point Security Gateway and a Security Management Server on separate machines1. Router only deployment is not a valid option, but it might be confused with Router mode, which is a configuration option for a Check Point Security Gateway that enables it to act as a router and forward packets between interfaces3.

• Gaia R81.20 Administration Guide
• CloudGuard Network Security
• Configuring Router Mode in Gaia Clish

The actions available in the “Actions” column of a rule in HTTPS Inspection policy are “Inspect” and “Bypass”. “Inspect” means that the HTTPS traffic will be decrypted and inspected according to the Access Control policy. “Bypass” means that the HTTPS traffic will not be decrypted and will be allowed without inspection1. The other options are not valid actions for HTTPS Inspection policy.

 If AdminB sees a lock icon on a rule, it means that the rule is locked by AdminA and will be made available if the session is published. A session is a set of changes made by an administrator in SmartConsole. A session can be published to save and share the changes with other administrators, or discarded to cancel the changes and unlock the objects1.

References: 1: Check Point R81 Security Management Administration Guide, page 18.

 In Hide NAT, only the source IP address is translated to a different IP address4. This is used to hide a group of hosts behind a single IP address, usually the external interface of the Security Gateway. References: Check Point R81 Firewall Administration Guide

The INSPECT Engine is the core component of Check Point’s Stateful Inspection technology. It is used to extract state related information from packets and store that information in state tables. The INSPECT Engine also evaluates the security policy and enforces it on the packets1. References: Check Point R81 Security Gateway Technical Administration Guide

 In R80 Management, apart from using SmartConsole, objects or rules can also be modified using a complete CLI and API interface using SSH and custom CPCode integration. This allows you to automate tasks, integrate with third-party tools, and create custom scripts . 3rd Party integration of CLI and API for Gateways or Management prior to R80 is not relevant for R80 Management. A complete CLI and API interface for Management with 3rd Party integration is not a specific option. References: [Check Point R81 Security Management Administration Guide], [Check Point Learning and Training Frequently Asked Questions (FAQs)]

The correct answer is A because detecting and blocking malware by correlating multiple detection engines before users are affected is not a feature of the Check Point URL Filtering and Application Control Blade3. This feature is part of the Check Point Anti-Virus and Anti-Bot Blades3. The other options are features of the Check Point URL Filtering and Application Control Blade3. References: Check Point R81 URL Filtering and Application Control Administration Guide

The Internal Certificate Authority (ICA) is created during the primary Security Management Server installation process. The ICA is a component that issues and manages certificates for Check Point products. The ICA is automatically installed and initialized when installing the Security Management Server.

References: : Check Point R81 Security Management Administration Guide, page 26.

 The best upgrade method when the management server is not connected to the Internet is CPUSE offline upgrade . This method allows you to download the upgrade package from another source and install it manually on the management server. The other methods require Internet connection or are not supported for R80.10. References: [R80.10 Upgrade Verification and FAQ], [Check Point CCSA - R81: Practice Test & Explanation]

 The purpose of the CPCA process is generating and modifying certificates. CPCA stands for Check Point Certificate Authority and it is a process that runs on the Security Management Server or Log Server. It is responsible for creating and managing certificates for internal communication between Check Point components, such as SIC . References: [Check Point R81 Quantum Security Management Administration Guide], [Check Point R81 Quantum Security Gateway Guide]

The four policy types available for each policy package are Access Control, Threat Prevention, NAT, and HTTPS Inspection. Access Control is the policy type that defines the basic firewall rules. Threat Prevention is the policy type that enables the protection against various types of attacks, such as IPS, Anti-Virus, Anti-Bot, etc. NAT is the policy type that defines the network address translation rules. HTTPS Inspection is the policy type that allows the inspection of encrypted traffic1. The other options are not valid policy types for each policy package.

 In Office mode, a Security Gateway assigns a remote client to an IP address once the user connects and authenticates. Office mode allows a remote client to get an IP address from the internal network of the organization. The IP address is assigned during the IKE negotiation, after the user has successfully authenticated with the Security Gateway3. The other options are not correct timings for assigning an IP address in Office mode. References: Office Mode

 Anti-Virus is the single Security Blade that can be turned on to block both malicious files from being downloaded as well as block websites known to host malware. Anti-Virus scans files and email attachments for viruses, worms, trojans, and other types of malware. It also uses ThreatCloud, a collaborative network that delivers real-time dynamic security intelligence, to detect unknown malware based on their behavior3. Anti-Bot is a Security Blade that detects and blocks botnet communications, but it does not scan files or block websites. URL Filtering is a Security Blade that enables administrators to control access to web applications, but it does not scan files or detect malware.

The correct answer is D because the command save configuration  stores the Gaia configuration in a file for later reference1. The other commands are not valid in Gaia Clish1. References: Gaia R81.10 Administration Guide

 Log query results can be exported to Comma Separated Value (csv) file format. CSV is a file format that stores tabular data in plain text. It is compatible with various applications, such as Excel, Google Sheets, etc. The other options are not valid file formats for exporting log query results.

References: 1: Gaia Roles 2: Gaia Default Users 3: Anti-Virus : [Exporting Logs]

The CDT utility supports all upgrades, including major version upgrades, Jumbo HFA’s, and hotfixes3. References: Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent

Upgrading the Security Gateway does not require a new license to be generated and installed. The license is tied to the IP address or hostname of the Security Gateway, not the software version. However, if the IP address or hostname changes, the existing license expires, or the license is upgraded, a new license must be generated and installed12 References: Check Point R81, Managing and Installing license via SmartUpdate

Once a certificate is revoked from the Security Gateway by the Security Management Server, the certificate information is stored on the Certificate Revocation List (CRL)1, p. 47. The CRL is a list of certificates that have been revoked before their expiration date4. References: Check Point CCSA - R81: Practice Test & Explanation, Free Check Point CCSA Sample Questions and Study Guide

When a gateway requires user information for authentication, it queries servers for user information in the following order: first the internal user database, then the generic external user profile, and finally LDAP servers in order of priority. The internal user database is a local database that stores user information on the Security Gateway or Security Management Server. The generic external user profile is a predefined profile that allows users to authenticate with any external server that supports RADIUS or TACACS protocols. LDAP servers are external servers that use the Lightweight Directory Access Protocol to store and retrieve user information. The gateway queries LDAP servers according to the priority that is defined in the LDAP Account Unit object properties. 

The policy type that is used to enforce bandwidth and traffic control rules is QoS. QoS stands for Quality of Service and is a software blade that allows administrators to prioritize network traffic according to various criteria such as source, destination, service, application, user, etc. QoS can also limit the bandwidth consumption of certain traffic types or guarantee a minimum bandwidth for critical applications. References: [Check Point R81 QoS Administration Guide]

When tunnel test packets no longer invoke a response, SmartView Monitor displays Down for the given VPN tunnel1. This means that the VPN tunnel is not operational and there is no IKE or IPsec traffic passing through it. No Response, Inactive, and Failed are not valid statuses for VPN tunnels in SmartView Monitor. References: Smart View Monitor displays status for all S2S VPN tunnels - Phase1 UP

Smart Cloud Services is an option for deployment of Check Point SandBlast Zero-Day Protection. It is a cloud-based service that provides advanced threat prevention for files and URLs, without requiring any on-premise infrastructure or appliances . References: [Check Point SandBlast Zero-Day Protection], [Smart Cloud Services]

The SOLR database is used for full text search and enables powerful matching capabilities3 . SOLR is an open source enterprise search platform that provides fast and scalable indexing and searching of data. It supports advanced features such as faceting, highlighting, spell checking, synonyms, etc. The SOLR database is used by Check Point products such as SmartLog and SmartEvent to store and query logs and events3 . The other options are incorrect. Option B is false, as SOLR does not write data to the database, but only reads data from it. Option C is false, as SOLR does not serve GUI, but only provides a RESTful API for queries. Option D is false, as SOLR does not enable powerful matching capabilities and write data to the database, but only enables powerful matching capabilities. References: SOLR - Check Point Software, [Apache Solr]

If there is an Accept Implied Policy set to “First”, Jorge cannot see any logs because Log Implied Rule was not selected on Global Properties. The Log Implied Rule option enables logging for all implied rules, such as DHCP, anti-spoofing, and cleanup rules.

References: : Check Point R81 Security Management Administration Guide, page 103.

The Secure Network Distributor (SND) is a feature of the Security Gateway that is used to distribute packets among Firewall instances . It improves the performance and scalability of the Firewall by utilizing multiple CPU cores. The other options are not related to SND. References: [Check Point Security Gateway Architecture and Packet Flow], [Free Check Point CCSA Sample Questions and Study Guide]

Application information is included in the “Extended Log” tracking option, but is not included in the “Log” tracking option4. The “Extended Log” option provides additional information about the application, such as name, category, risk, and technology4. References: LOGGINGAND MONITORING R80

 The procedure that SmartEvent does not use to identify events is matching a log against local exclusions. Local exclusions are used to filter out logs that are not relevant for SmartLog, not SmartEvent12. SmartEvent uses the other procedures to identify events based on event definitions, event candidates, and global exclusions3 . References: SmartLog R81 Administration Guide, Check Point CCSA - R81: Practice Test & Explanation, SmartEvent R81 Administration Guide, [Free Check Point CCSA Sample Questions and Study Guide]

A main component of the Check Point security management architecture is SmartConsole2. SmartConsole is a unified graphical user interface that allows administrators to manage multiple security functions such as firewall, VPN, IPS, application control, URL filtering, identity awareness, and more. SmartConsole connects to the Security Management Server and interacts with other Check Point components such as Security Gateways and Endpoint Security Servers. References: Check Point R81 Security Management Administration Guide

The three main components of Check Point security management architecture are SmartConsole, Security Management, and Security Gateway5. SmartConsole is the graphical user interface that allows administrators to manage and monitor Check Point products. Security Management is the server that stores the security policy and configuration data. Security Gateway is the device that enforces the security policy on the network traffic. References: Check Point R81 Security Management Administration Guide

To view the policy installation history for each gateway, an administrator would use the Installation history tool1, p. 22. The Installation history tool shows the date and time of each policy installation, the name of the administrator who installed it, and the status of the installation3. Revisions, Gateway installations, and Gateway history are not valid tools in SmartConsole. References: Check Point CCSA - R81: Practice Test & Explanation, Check Point SmartConsole R81 Help

 The product that correlates logs and detects security threats, providing a centralized display of potential attack patterns from all network devices is SmartEvent. SmartEvent is a software blade that analyzes logs from various sources such as Security Gateways, Endpoint Security Servers, Identity Awareness Servers, etc. and generates security events based on predefined or custom rules. SmartEvent provides a graphical interface for viewing and managing security events in real-time or historical mode. References: [Check Point R81 SmartEvent Administration Guide]

The TCP/IP model is made up of four layers: Application, Transport, Internet, and Network Interface1, p. 10. The TCP/IP model is a simplified version of the OSI model, which has seven layers: Application, Presentation, Session, Transport, Network, Data Link, and Physical. References: Check Point CCSA - R81: Practice Test & Explanation, [TCP/IP Model Explained]

The option that allows traffic to VPN gateways in specific VPN communities is Specific VPN Communities4. This option enables you to define which VPN communities are allowed in the rule. All Connections (Clear or Encrypted) allows traffic to any destination, regardless of whether it is encrypted or not. Accept all encrypted traffic allows traffic to any encrypted destination, regardless of the VPN community. All Site-to-Site VPN Communities allows traffic to any site-to-site VPN gateway, regardless of the VPN community4. Therefore, the correct answer is C. Specific VPN Communities.

Threat Prevention is a comprehensive solution that protects networks from malicious attacks by using multiple security blades, such as Anti-Bot, Anti-Virus, IPS, Threat Emulation, and Threat Extraction. These are the Threat Prevention software components available on the Check Point Security Gateway. IPS (Intrusion Prevention System) is a blade that detects and prevents network attacks by using signatures and behavioral patterns. Anti-Bot is a blade that detects and blocks botnet communications by using reputation services and heuristics. Anti-Virus is a blade that scans files and web content for malware by using signatures and emulation. Threat Emulation is a blade that analyzes suspicious files in a sandbox environment and blocks malicious files from entering the network. Threat Extraction is a blade that removes exploitable content from files and delivers clean files to users2. References: Check Point R81 Threat Prevention Administration Guide

 The answer is B because AES-CBC-256 is not a supported encryption algorithm for IPsec Security Associations (Phase 2) in R81. The supported encryption algorithms are AES-GCM-128, AES-GCM-256, AES-CBC-128, 3DES, and NULL3 References: Check Point R81 VPN Administration Guide

The Application Layer Firewalls inspect traffic through the Lower layer(s) of the TCP/IP model and up to and including the Application layer. The lower layers are the Physical, Data Link, and Network layers, which deal with the transmission and routing of packets. The Application layer is the highest layer of the TCP/IP model, which provides services and protocols for specific applications such as HTTP, FTP, SMTP, etc. The Application Layer Firewalls can inspect the content and context of the traffic and enforce granular security policies based on various criteria such as user identity, application identity, content type, etc. References: [Check Point R81 Firewall Administration Guide]

The command to restore a backup of Check Point configurations without the OS information is restore_backup4. This command restores the Gaia OS configuration and the firewall database from a compressed file. The other commands are not valid for this purpose. import backup is not a valid command. cp_merge is a command to merge policies or objects from different databases. migrate import is a command to import a previously exported database using migrate export. References: System Backup and Restore feature in Gaia, [cp_merge], [migrate import]

In a Distributed Environment, a Central License can be installed via CLI on a Security Gateway using the CPLIC command1. This command allows you to install a license from a file or from the User Center1. Therefore, the correct answer is D. True, Central License can be installed with CPLIC command on a Security Gateway. 

Aggressive Mode in IKEv1 uses three packets for negotiation, with all data required for the SA passed by the initiator1. The responder sends the proposal, key material, and ID, and authenticates the session in the next packet. The initiator replies and authenticates the session1.

The other answers are not correct because they either refer to the Main Mode in IKEv1, which uses six packets for negotiation2, or they are irrelevant to the number of packets used in Aggressive Mode.

• Understand IPsec IKEv1 Protocol - Cisco
• Negotiation modes for phase 1 - IBM
• FAQ-What are the differences between IKEv1 and IKEv2- Huawei

The default shell of the Gaia CLI is cli.sh, which provides a limited set of commands for basic configuration and troubleshooting. To change from the cli.sh shell to the advanced shell (also known as expert mode) to run Linux commands, the administrator needs to execute the command ‘expert’ in the cli.sh shell

The command add rba user roles  is used to add users to or from existing roles. RBA stands for Role-Based Administration, which is a feature that allows administrators to assign different permissions and access levels to users based on their roles2.

References: 2: Check Point R81 Security Management Administration Guide, page 20.

 Security Gateway software blades must be attached to a Security Gateway container. A Security Gateway container is a logical object that represents a physical or virtual machine that runs the Security Gateway software. A software blade is a modular security feature that can be enabled or disabled on a Security Gateway container. A software blade can provide functions such as firewall, VPN, IPS, anti-virus, anti-bot, application control, URL filtering, etc.References: [Security Gateway Containers], [Software Blades]

A Distinguished Name (DN) is a unique identifier for an entry in an LDAP directory. A DN consists of a sequence of relative distinguished names (RDNs) separated by commas. Each RDN is composed of an attribute type and an attribute value, such as cn=John Smith or ou=Sales. A DN can have different components depending on the structure and schema of the LDAP directory, but some common components are: Common Name (cn), Country ©, Organizational Unit (ou), Organization (o), State or Province (st), and Locality (l). User container is not a component of a DN3. References: Check Point R81 Identity Awareness Administration Guide

 Security questions are not an authentication scheme used for accounts created through SmartConsole4. The available authentication schemes are Check Point password, RADIUS, TACACS, SecurID, LDAP, and Certificate. References: Check Point R81 Security Management Administration Guide

 The command that can be used to determine the software version from the CLI is fw ver. This command displays the version of the firewall module and the build number3 . fw stat, fw monitor, and cpinfo are not commands for software version identification. References: Check Point R81 Command Line Interface Reference Guide, [156-315.81 Checkpoint Exam Info and Free Practice Test - ExamTopics]

The steps you will need to do in SmartConsole in order to get the connection working behind the Internet Security Gateway are:

• Define an accept rule in Security Policy. This rule allows the traffic from your internal networks to pass through the Security Gateway.
• Define automatic NAT for each network to NAT the networks behind a public IP. This option translates the private IP addresses of your internal networks to a public IP address assigned by your ISP router. This way, your internal networks can communicate with the Internet using a valid IP address.
• Publish and install the policy. This step applies the changes you made to the Security Gateway and activates the security and NAT rules.

References: Check Point R81 Quantum Security Gateway Guide

Suspicious Activity Monitoring (SAM) is the utility that is used to block activities that appear to be suspicious. SAM allows administrators to block connections from specific IP addresses or network objects for a specified period of time3. Penalty Box is a feature of SAM that automatically blocks connections from sources that generate too many log entries. Drop Rule in the rulebase is a firewall action that discards packets that match certain criteria. Stealth rule is a firewall rule that prevents direct access to the Security Gateway from external sources.

The correct answer is D because sending API commands over an http connection using web-services is not one of the ways to communicate using the Management API’s3. The Management API’s support HTTPS protocol only, not HTTP3. The other methods are valid ways to communicate using the Management API’s3. References: Check Point Learning and Training Frequently Asked Questions (FAQs)

Service blades must be attached to a Security Gateway. A Security Gateway is a device that enforces security policies on traffic that passes through it. A service blade is a software module that provides a specific security function, such as firewall, VPN, IPS, etc. A Security Gateway can have one or more service blades attached to it, depending on the license and hardware capabilities. The other options are incorrect. A management container is a virtualized environment that hosts a Security Management Server or a Log Server. A management server is a device that manages security policies and distributes them to Security Gateways. A Security Gateway container is not a valid term in Check Point terminology. References: [Check Point R81 Security Management Administration Guide], [Check Point R81 CloudGuard Administration Guide]

CPUSE - Check Point Upgrade Service Engine is the tool that allows for the automatic updating of the Gaia OS and Check Point products installed on the Gaia OS. CPUSE is a web-based tool that simplifies the installation of software updates, hotfixes, and upgrade packages on Gaia OS2. The other options are not valid tools for updating Gaia OS and Check Point products.

The administrator can edit a list of trusted SmartConsole clients in three ways: in cpconfig on a Security Management Server, in the WebUI logged into a Security Management Server, and in SmartConsole: Manage and Settings > Permissions and Administrators > Advanced > Trusted Clients

 UserCheck is not an identity source used for Identity Awareness. UserCheck is a feature that allows you to interact with users when they trigger Data Loss Prevention or Threat Prevention incidents2. Identity Awareness uses different methods to acquire identities, such as AD Query, Identity Agent, Browser-Based Authentication, Terminal Servers, Captive Portal, and RADIUS3 . Therefore, the correct answer is B. UserCheck.

Permissions and Administrators are defined on the Manage and Settings tab in SmartConsole3. This tab allows you to create and manage administrator accounts, roles, permissions, and authentication methods for accessing SmartConsole and other Check Point management interfaces. References: Check Point R81 Security Management Administration Guide

The command api status shows the API server status, including whether it is enabled or not, the port number, and the API version1. References: Check Point R81 API Reference Guide

Logs & Monitor is the SmartConsole tab that is used to monitor network and security performance. This tab allows you to view and analyze logs and events from various sources, such as Security Gateways, Security Management Servers, and SmartEvent Servers. You can also use this tab to generate reports and troubleshoot issues. References: [Logging and Monitoring Administration Guide R80.20]

The “Hit Count” feature is enabled or disabled on the Policy layer in SmartConsole1. To enable or disable the “Hit Count” feature, right-click on the Policy layer and select “Edit Layer”. Then, check or uncheck the “Enable Hit Count” option1. References: Solved: Hit Count in R80.x

 To use Application objects in a rule, the “Applications & URL Filtering” blade should be enabled on the policy layer where the rule is being created. Enabling the “Application Control” blade on a gateway is not enough3.

References: 3: Check Point R81 Security Management Administration Guide, page 102.